Impact
A use‑after‑free flaw in ANGLE, the graphics layer used by Google Chrome, allowed a remote attacker to trigger arbitrary code execution inside the browser sandbox by serving a crafted HTML page. The weakness, identified as CWE‑416 and CWE‑825, means that memory freed earlier than intended could be accessed again, potentially allowing tampering with control flow and elevation of privilege within the sandbox. Because the flaw can be triggered by content loaded from an arbitrary web page, the impact is the execution of malicious code on the affected device.
Affected Systems
The vulnerability affects Google Chrome for desktop before version 148.0.7778.216, on all operating systems where Chrome uses ANGLE. Users of earlier Chrome builds are vulnerable; the issue was fixed in Chrome 148.0.7778.216 and later.
Risk and Exploitability
Chromium assigns this flaw a Critical severity, reflected in a CVSS score of 8.8, and the absence of an EPSS score indicates that public exploit data is not yet available. Nonetheless, the flaw can be exploited remotely over the network when a user visits a malicious or compromised site that supplies the crafted HTML. Although Chrome’s sandbox is designed to confine such code, an attacker would still gain code execution inside that sandbox, which can be leveraged for further lateral movement or data exfiltration. The flaw is not listed in CISA’s KEV catalog, but the likely attack vector is any web content that a user loads, making proactive patching essential.
OpenCVE Enrichment